Copyright Viagénie 2008
NAT and Firewall Traversal with STUN / TURN / ICE
Simon Perreault
Viagénie
{mailto|sip}:[email protected]
http://www.viagenie.ca
Credentials
● Consultant in IP networking and VoIP at Viagénie.
● Developed Numb, a STUN / TURN server.
● Ported FreeSWITCH to IPv6.
● Co-ported Asterisk to IPv6.
● Developed many custom VoIP applications.
Plan
● The problem of NAT and firewalls in VoIP
● How STUN, TURN, and ICE solve it
● Asterisk specifics
● Wireshark traces
The Problem of NAT and Firewalls in VoIP
● Network address translators (NATs) are common devices that “hide” private networks behind public IP addresses.
● Connections can be initiated from the private network to the Internet, but not the other way around.
● Having separate addresses for signaling and media makes the situation worse.
Server-Reflexive Address
● A NAT device works by associating a public address and port with a private destination address and port.
– Public 206.123.31.67:55123 ↔ Private 192.168.1.2:5060
● Valid for the duration of the flow.
– What does “flow” mean for UDP?
– Must be kept alive.
● Useful to discover this address.
STUN
● Session Traversal Utilities for NAT (STUN): simple protocol for discovering the server-reflexive address.
– Client: Where do you see me at?
– Server: I see you at 206.123.31.67:55123.
● A STUN server is located in the public Internet, or in an ISP's network when offered as a service.
– Double NATs pose an interesting problem...
STUN Flow Diagram
● Parties: STUN client 192.168.201.128, NAT (192.168.201.2 inside, 206.123.31.67 outside), STUN server 64.251.14.14.
– Client → NAT: STUN Binding Request, source 192.168.201.128:45897.
– NAT → Server: STUN Binding Request, source rewritten to 206.123.31.67:55123.
– Server → NAT: STUN Binding Response, destination 206.123.31.67:55123, payload (mapped address): 206.123.31.67:55123.
– NAT → Client: STUN Binding Response, destination rewritten to 192.168.201.128:45897, payload still 206.123.31.67:55123.
STUN
● It turns out that some NAT devices try to be clever by inspecting payloads and rewriting every occurrence of the server-reflexive address into the private address (an ALG), which corrupts the STUN answer.
● STUN2 (RFC 3489bis) obfuscates the address with XOR-MAPPED-ADDRESS: the port and address are XORed with a known value (the magic cookie 0x2112A442; for IPv6 also the transaction ID), so the ALG never sees the public address in clear.
● TCP and UDP are supported over IPv4 and IPv6.
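The two slides above describe the Binding exchange and why STUN2 XORs the mapped address. The following Python is an added example, not part of the presentation or of Numb: it encodes a Binding Success Response carrying both the classic MAPPED-ADDRESS and the XOR-MAPPED-ADDRESS (RFC 5389 wire layout), then models a payload-rewriting NAT ALG to show that the plain attribute is corrupted while the XORed one survives. The addresses are the ones from the flow diagram; the IPv6 address in the usage note, the fixed transaction ID and the ALG model are constructed for the example.

```python
import os
import socket
import struct
from typing import Dict, Optional, Tuple

# RFC 5389 (STUNv2) constants
MAGIC_COOKIE = 0x2112A442
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # classic STUN (RFC 3489), address in clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # STUNv2, address XORed with the magic cookie


def _attr(attr_type: int, value: bytes) -> bytes:
    """TLV-encode one attribute, padding the value to a 4-byte boundary."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _xor_mask(family: int, txid: bytes) -> bytes:
    """IPv4 is XORed with the cookie, IPv6 with cookie || transaction ID."""
    mask = struct.pack("!I", MAGIC_COOKIE)
    return mask if family == 0x01 else mask + txid


def encode_address(ip: str, port: int, txid: bytes, xor: bool) -> bytes:
    """Value of (XOR-)MAPPED-ADDRESS: reserved byte, family, port, address."""
    if ":" in ip:
        family, raw = 0x02, socket.inet_pton(socket.AF_INET6, ip)
    else:
        family, raw = 0x01, socket.inet_pton(socket.AF_INET, ip)
    if xor:
        port ^= MAGIC_COOKIE >> 16
        raw = bytes(a ^ b for a, b in zip(raw, _xor_mask(family, txid)))
    return struct.pack("!BBH", 0, family, port) + raw


def build_binding_response(ip: str, port: int, txid: Optional[bytes] = None) -> bytes:
    """A server's Binding Success Response carrying both attribute flavours."""
    txid = txid or os.urandom(12)
    body = _attr(ATTR_MAPPED_ADDRESS, encode_address(ip, port, txid, xor=False))
    body += _attr(ATTR_XOR_MAPPED_ADDRESS, encode_address(ip, port, txid, xor=True))
    return struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE) + txid + body


def parse_binding_response(msg: bytes) -> Dict[str, Tuple[str, int]]:
    """Return {'mapped': (ip, port), 'xor_mapped': (ip, port)} as the client decodes them."""
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a well-formed STUN Binding success response")
    txid, pos, out = msg[8:20], 20, {}
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        pos += 4 + alen + (-alen) % 4
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            continue                      # other attributes are skipped, not fatal
        family, port = struct.unpack("!xBH", value[:4])
        raw = value[4:]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16
            raw = bytes(a ^ b for a, b in zip(raw, _xor_mask(family, txid)))
        af = socket.AF_INET if family == 0x01 else socket.AF_INET6
        key = "mapped" if atype == ATTR_MAPPED_ADDRESS else "xor_mapped"
        out[key] = (socket.inet_ntop(af, raw), port)
    return out


def naive_alg_rewrite(msg: bytes, public_ip: str, private_ip: str) -> bytes:
    """Constructed model of a NAT ALG that rewrites every literal occurrence of
    the public IPv4 address in a payload into the private address."""
    pub = socket.inet_pton(socket.AF_INET, public_ip)
    priv = socket.inet_pton(socket.AF_INET, private_ip)
    return msg.replace(pub, priv)


if __name__ == "__main__":
    txid = bytes(range(12))                                      # fixed for reproducibility
    msg = build_binding_response("206.123.31.67", 55123, txid)  # values from the flow diagram
    mangled = naive_alg_rewrite(msg, "206.123.31.67", "192.168.201.128")
    print("as sent:   ", parse_binding_response(msg))
    print("after ALG: ", parse_binding_response(mangled))
```

Running it shows the classic attribute now claiming 192.168.201.128 after the ALG pass, while the XOR-MAPPED-ADDRESS still decodes to 206.123.31.67:55123. A client that wants to be robust should prefer XOR-MAPPED-ADDRESS whenever the server sent one and only fall back to MAPPED-ADDRESS for RFC 3489 servers.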
Server-Reflexive Address
● A client who knows its server-reflexive address could use it in place of its private address in the SIP headers.
– Not the intended usage. See the sip-outbound IETF draft.
● Intended usage: RTP ports.
● RTP port ⇒ NAT binding ⇒ STUN request
Symmetric NATs
● Some NAT devices only allow packets from the remote peer the binding was created for to reach the NATed peer.
– Address dependent
– Port dependent
– Both
– Implication: knowing the server-reflexive address is useless, since the binding seen by the STUN server is not the one a different peer would hit.
● These NAT devices are called symmetric NATs.
– Often “enterprise” NATs ⇒ many devices behind them.
– Significant presence, must be worked around.
TURN
● Makes devices behind symmetric NATs reachable.
– Device initiates and maintains a connection to a relay.
● Traversal Using Relays around NAT (TURN)
– Protocol between the NATed device and the relay.
– Built on top of STUN.
● TURN server is located outside the NAT.
– On the public Internet
– or in an ISP's network when offered as a service by the ISP.
TURN Flow Diagram
● Parties: TURN client 192.168.201.128, NAT, TURN server 64.251.14.14, SIP peer.
– Client → NAT → Server: TURN Allocate.
– Server allocates a port; Allocate Response with relayed address 64.251.14.14:51292 travels back through the NAT to the client.
– Client ↔ Server: keep-alive, so both the allocation and the NAT binding stay up.
– Client → SIP peer: SIP INVITE, SDP c= line: 64.251.14.14:51292.
– SIP peer → Server: RTP packet sent to the relayed address.
– Server → NAT → Client: TURN Data Indication + RTP packet.
Relayed Address
● The address allocated by the TURN server is called the relayed address.
– TURN server communicates it to the TURN client.
– TURN client communicates it to the SIP peer.
● The TURN client may use it in the SIP headers.
● Intended usage: RTP ports.
● RTP port ⇒ NAT binding ⇒ TURN allocation
● TURN guarantees communication in all NAT cases unless there is an explicit firewall policy to prohibit its use.
Disadvantages of TURN
● TURN server is in the forwarding path.
– Requires a lot of bandwidth.
– Server must remain available for the whole duration of the allocation.
– Triangle routing results in a longer path.
● Encapsulation.
– Lowers the MTU (not so much a problem for VoIP packets).
– Additional headers consume a bit more bandwidth.
– Firewall must inspect the payload to discover the real sender.
● Allocation must be kept alive.
Disadvantages of TURN
● ICMP not relayed.
– No path MTU discovery.
● TTL not properly decremented.
– Possibility of loops.
● DiffServ (DS) field not relayed.
● As of now only IPv4 and UDP.
Mitigating Mechanisms
● Availability and scalability provided by anycast.
– Only used for discovery; the server must remain up for the duration of the allocation.
● Channel mechanism for minimizing header size.
– 4 bytes only.
● Permission mechanism enforced by the TURN server.
– Only peers previously contacted by the client may send data to the relayed address.
– Firewall may “trust” the TURN server, no payload inspection.
● Keep the TURN server close to the NAT device.
– Offered as a service by ISPs.
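The channel and permission mechanisms above are easiest to see in code. This Python model is an added example, not the presentation's or Numb's code: it keeps the per-allocation state a TURN server holds (permissions keyed by peer IP, channel bindings keyed by peer IP and port) and produces the frame the server would forward to the client, either a ChannelData frame with its 4-byte header or the STUN-framed Data Indication from the flow diagram. It is IPv4-only, the relayed address comes from the flow diagram, and the peer address, the RTP packet and the relay class itself are constructed for the example; lifetimes are the RFC 5766 defaults.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = 0x2112A442
DATA_INDICATION = 0x0017        # TURN Data indication (method 0x007, class "indication")
ATTR_XOR_PEER_ADDRESS = 0x0012
ATTR_DATA = 0x0013
PERMISSION_LIFETIME = 300       # seconds, RFC 5766 default
Peer = Tuple[str, int]


class TurnAllocation:
    """Server-side state for one relayed address: permissions and channel bindings.
    Constructed model for this example (IPv4 peers only), not a real TURN server."""

    def __init__(self, relayed_ip: str, relayed_port: int):
        self.relayed = (relayed_ip, relayed_port)
        self.permissions: Dict[str, float] = {}   # peer IP -> expiry time
        self.channels: Dict[Peer, int] = {}        # (peer IP, port) -> channel number
        self._seq = 0

    def create_permission(self, peer_ip: str, now: float) -> None:
        """CreatePermission: the client names a peer it wants to hear from (IP only)."""
        self.permissions[peer_ip] = now + PERMISSION_LIFETIME

    def channel_bind(self, peer: Peer, channel: int, now: float) -> None:
        """ChannelBind: map a peer (IP and port) to a 16-bit channel number."""
        if not 0x4000 <= channel <= 0x7FFF:
            raise ValueError("channel numbers are 0x4000-0x7FFF")
        self.channels[peer] = channel
        self.create_permission(peer[0], now)       # ChannelBind also installs a permission

    def relay_from_peer(self, peer: Peer, payload: bytes, now: float) -> Optional[bytes]:
        """Frame the server sends to the client when `peer` hits the relayed address,
        or None when the packet is dropped for lack of a live permission."""
        expiry = self.permissions.get(peer[0])
        if expiry is None or expiry <= now:
            return None
        channel = self.channels.get(peer)
        if channel is not None:
            # ChannelData: 4-byte header (channel number, length), then the raw payload.
            return struct.pack("!HH", channel, len(payload)) + payload
        return self._data_indication(peer, payload)

    def _data_indication(self, peer: Peer, payload: bytes) -> bytes:
        """STUN-framed fallback: 20-byte header + XOR-PEER-ADDRESS + DATA attribute."""
        ip, port = peer
        x_port = port ^ (MAGIC_COOKIE >> 16)
        x_addr = bytes(a ^ b for a, b in zip(socket.inet_pton(socket.AF_INET, ip),
                                             struct.pack("!I", MAGIC_COOKIE)))
        attrs = struct.pack("!HHBBH", ATTR_XOR_PEER_ADDRESS, 8, 0, 0x01, x_port) + x_addr
        attrs += struct.pack("!HH", ATTR_DATA, len(payload)) + payload
        attrs += b"\x00" * ((-len(payload)) % 4)
        self._seq += 1
        txid = self._seq.to_bytes(12, "big")
        return struct.pack("!HHI", DATA_INDICATION, len(attrs), MAGIC_COOKIE) + txid + attrs


def classify_frame(frame: bytes) -> str:
    """How the client demultiplexes what arrives from the TURN server (RFC 5766 11.4):
    first byte 0-3 is a STUN message, 0x40-0x7F is ChannelData."""
    b = frame[0]
    if b <= 3:
        return "stun"
    if 0x40 <= b <= 0x7F:
        return "channeldata"
    return "unknown"


def overhead(frame: bytes, payload: bytes) -> int:
    """Bytes the relay framing adds on top of the original packet."""
    return len(frame) - len(payload)


if __name__ == "__main__":
    alloc = TurnAllocation("64.251.14.14", 51292)   # relayed address from the flow diagram
    peer = ("203.0.113.5", 4000)                    # constructed SIP peer
    rtp = b"\x80\x00" + bytes(170)                  # constructed 172-byte RTP packet (G.711, 20 ms)
    print("no permission yet:", alloc.relay_from_peer(peer, rtp, now=0))
    alloc.create_permission(peer[0], now=0)
    ind = alloc.relay_from_peer(peer, rtp, now=1)
    print("Data indication overhead:", overhead(ind, rtp), classify_frame(ind))
    alloc.channel_bind(peer, 0x4001, now=1)
    cd = alloc.relay_from_peer(peer, rtp, now=2)
    print("ChannelData overhead:", overhead(cd, rtp), classify_frame(cd))
```

For a 172-byte RTP packet the Data Indication costs 36 extra bytes per packet (header, XOR-PEER-ADDRESS, DATA attribute header) against 4 for ChannelData, which is the bandwidth argument for channels. The permission check is what lets a firewall trust the relay: a packet from an IP the client never named is dropped at the server, and a permission the client stops refreshing lapses after five minutes.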
IPv4 and IPv6 Interoperability
● TURN will also be used to relay packets between IPv4 and IPv6.
● Offloads the B2BUA.
– Designed for relaying performance.
– Anycast ensures scalability and reliability.
● TURNv6 draft still in progress.
Numb
● Numb is a STUN and TURN server developed by Viagénie.
– Supports IPv4 and IPv6 in mixed scenarios.
– Supports anycast.
● Free access at http://numb.viagenie.ca
● To install it in your own network, contact us:
Connectivity Establishment
● Many addresses may be available:
– Host addresses.
– Server-reflexive address.
– Relayed address.
– Each in IPv4 and IPv6 flavour!
– Each in UDP and TCP flavour!
● Which one to choose?
● Need for an automatic connectivity establishment mechanism.
Interactive Connectivity Establishment (ICE)
● Conceptually simple.
– Gather all candidates (using STUN/TURN).
– Order them by priority.
– Communicate them to the callee in the SDP.
– Do connectivity checks.
– Stop when connectivity is established.
● Gnarly details:
– Keep candidates alive.
– Agree on priority.
– Reduce delays and limit packets.
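The "order them by priority" and "agree on priority" steps are the part of ICE that is easiest to get subtly wrong, so here is the arithmetic worked through. This Python is an added example, not code from the presentation or from any ICE stack: it computes candidate priorities and pair priorities with the RFC 5245 formulas and recommended type preferences, forms the check list, substitutes each server-reflexive local candidate with its base (checks are sent from the base), prunes the resulting duplicates and sorts. The local candidates reuse the addresses from the slides' diagrams; the remote peer is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# RFC 5245 recommended type preferences: host > peer-reflexive > server-reflexive > relayed.
TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}


@dataclass(frozen=True)
class Candidate:
    ctype: str               # host | srflx | prflx | relay
    ip: str
    port: int
    component: int = 1       # 1 = RTP, 2 = RTCP
    local_pref: int = 65535  # 65535 when the host has a single address of this type
    base: Optional["Candidate"] = None  # host candidate a srflx was learned from

    @property
    def priority(self) -> int:
        # RFC 5245 4.1.2.1: 2^24 * type_pref + 2^8 * local_pref + (256 - component)
        return (1 << 24) * TYPE_PREF[self.ctype] + (1 << 8) * self.local_pref + (256 - self.component)

    @property
    def family(self) -> int:
        return 6 if ":" in self.ip else 4


@dataclass
class CandidatePair:
    local: Candidate
    remote: Candidate
    priority: int


def pair_priority(g: int, d: int) -> int:
    """RFC 5245 5.7.2: G = controlling agent's candidate priority, D = controlled agent's."""
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def build_check_list(local: List[Candidate], remote: List[Candidate],
                     controlling: bool) -> List[CandidatePair]:
    """Form pairs, replace srflx locals by their base, prune duplicates, sort by priority."""
    pairs = []
    for l in local:
        for r in remote:
            if l.family != r.family or l.component != r.component:
                continue  # never pair IPv4 with IPv6, or RTP with RTCP
            g, d = (l.priority, r.priority) if controlling else (r.priority, l.priority)
            pairs.append(CandidatePair(l, r, pair_priority(g, d)))
    # RFC 5245 5.7.3: checks go out from the base, so a srflx local becomes its base ...
    for p in pairs:
        if p.local.ctype == "srflx" and p.local.base is not None:
            p.local = p.local.base
    # ... which makes some pairs redundant; keep the higher-priority copy of each.
    pairs.sort(key=lambda p: p.priority, reverse=True)
    seen, pruned = set(), []
    for p in pairs:
        key = (p.local.ip, p.local.port, p.local.component, p.remote.ip, p.remote.port)
        if key not in seen:
            seen.add(key)
            pruned.append(p)
    return pruned


def gather_local_candidates() -> List[Candidate]:
    """Constructed gathering result using the addresses from the slides' diagrams."""
    host = Candidate("host", "192.168.201.128", 45897)
    srflx = Candidate("srflx", "206.123.31.67", 55123, base=host)  # learned via STUN
    relay = Candidate("relay", "64.251.14.14", 51292)               # learned via TURN
    return [host, srflx, relay]


if __name__ == "__main__":
    remote = [Candidate("host", "203.0.113.5", 4000)]  # constructed peer
    for p in build_check_list(gather_local_candidates(), remote, controlling=True):
        print(f"{p.priority:>22}  {p.local.ctype}:{p.local.ip}:{p.local.port} -> {p.remote.ip}:{p.remote.port}")
```

With one remote host candidate this yields two checks, host first and relay last: the srflx pair collapsed into the host pair because both are sent from the same base socket, and the peer will learn the server-reflexive (or peer-reflexive) mapping from the check's source address anyway. Both sides must use the same formulas and the same controlling/controlled roles, otherwise they disagree on which pair to nominate.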
Peer-Reflexive Address
● Remember: the server-reflexive address is useless with a symmetric NAT.
● The address as seen from the peer (instead of the STUN server) is the peer-reflexive address.
– Works even with a symmetric NAT, because the binding was created by traffic to that very peer.
● ...but not when both peers are behind symmetric NATs (TURN still necessary).
● During ICE connectivity checks, peer-reflexive candidates are discovered from the source address of incoming checks, and the resulting pairs are checked ahead of the remaining ordinary checks.
● Information reuse between ICE instances.
Examples
● STUN server: 64.251.14.14, 64.251.22.149
● NAT + DNS server: 192.168.201.2 (inside), 206.123.31.67 / 2620:0:230:c000:67 (outside)
● Client: 192.168.201.128
● DNS server: 206.123.31.2 / 2620:0:230:8000:2
● SIP registrar: 206.123.31.98 / 2620:0:230:c000:98
Asterisk Specifics
● NAT traversal in 1.6 was greatly enhanced.
– Can define the internal NATed network (localnet).
– Can determine the external address either directly (externip), via dynamic DNS (externhost), or with a STUN client (stunaddr).
● RFC 3581 rport mechanism (nat = yes).
● Don't re-INVITE internal ↔ external calls (canreinvite = nonat).
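The settings listed above belong in the [general] section of sip.conf. The fragment below is an added example, not configuration shipped with the presentation or with Asterisk; the private network and the public and STUN addresses are taken from the slides' diagrams, and pbx.example.com is a placeholder host name.

```ini
[general]
; The private network behind the NAT; peers in it are treated as internal.
localnet=192.168.201.0/255.255.255.0

; Pick ONE way for Asterisk to learn its external (server-reflexive) address.
externip=206.123.31.67          ; static public address of the NAT
;externhost=pbx.example.com     ; or a dynamic DNS name, re-resolved every externrefresh seconds
;externrefresh=180
;stunaddr=64.251.14.14          ; or ask a STUN server (Binding Request at startup)

; RFC 3581: reply to the source address/port the request actually came from,
; and treat the peer's RTP the same way (symmetric RTP).
nat=yes

; Keep Asterisk in the media path for calls that cross the NAT boundary;
; internal<->internal calls may still be re-INVITEd directly.
canreinvite=nonat
```

Whatever is configured here only fixes the address Asterisk advertises in its own SIP and SDP; it does not help a phone behind a symmetric NAT, which still needs TURN or an ICE-capable endpoint as discussed in the earlier slides.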
Deployment
● ISPs are deploying STUN / TURN servers within their network.
● TURN is a part of the IPv6 migration.
● SIP client vendors are implementing ICE.
● B2BUAs should also implement ICE.
Conclusion
● Discussed
– The problem of NAT and firewalls in VoIP
– How STUN, TURN, and ICE solve it
● Obtaining a server-reflexive address via STUN
● Obtaining a relayed address via TURN
● Telling the other party about these addresses via ICE
● Making connectivity checks
● Obtaining peer-reflexive addresses
● STUN / TURN / ICE stack too thick? Use IPv6!
Questions?
This presentation: http://www.viagenie.ca/publications/
STUN / TURN server: http://numb.viagenie.ca
References:
STUNv1 RFC: http://tools.ietf.org/html/rfc3489
STUNv2 draft: http://tools.ietf.org/html/draft-ietf-behave-rfc3489bis
TURN draft: http://tools.ietf.org/html/draft-ietf-behave-turn
ICE draft: http://tools.ietf.org/html/draft-ietf-mmusic-ice